Bug Description

1. create a stack with a nova flavor resource; the user has the role 'admin'
2. the stack is created successfully
3. modify the conf to enable reauth: reauthentication_auth_method=trusts
4. restart the heat-engine
5. update the stack; an error is raised: You are not authorized to use OS::Nova::Flavor
6. create a new stack with the same template (with nova flavor); an error is raised: Policy doesn't allow os_compute_api:os-flavor-manage to be performed, the details: http://paste.openstack.org/show/482712/

Then I checked the conf of my devstack and found the conf as below:
deferred_auth_method=trusts
trusts_delegated_roles='_member_'
reauthentication_auth_method=trusts (before step 3, this is the default value '')

As the code above shows, if we enable reauth, we reload the stack after storing it and use the new trust context, but the trust only delegates the '_member_' role, so the policy does not allow operating on resources that only an administrator may operate on, in this case the nova flavor resource.

I don't agree with you. As the tests above show, if I disable reauth, the create and update are successful; only if I enable reauth in this case do the create and update fail. I'm thinking about the conf 'trusts_delegated_roles': we use it to create a trust only for deferred actions (such as resource signal), so this conf shouldn't be used for 'current' actions (create/update). I suggest creating a trust which inherits all roles for 'current' actions, and a trust which inherits the subset of roles configured by 'trusts_delegated_roles'; the logic is something like:
********stack.py************
def store():
......
defer_creds = None

If we enable reauth, we can't update the stack with a nova flavor resource, even if 'trusts_delegated_roles = []', because the stored_context has no roles, so the policy check for the rule will fail:
"context_is_admin": "role:admin"
"resource_types:OS::Nova::Flavor": "rule:context_is_admin"

Currently we leave the context roles empty when loading the stored
context, even though there are roles associated with e.g the trust
scoped token used via loading the stored context. Loading the auth
ref and populating the roles from the token ensure any RBAC performed
on the context roles will work as expected.
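As an added illustration (not Heat's code or the patch under review), the two policy rules quoted above are evaluated against a context whose roles are left empty and against one whose roles are read from a constructed trust-scoped token body; the evaluator is a simplified stand-in for oslo.policy's 'role:' and 'rule:' checks, and the token body is a constructed sample.

```python
# Added example, not Heat's code: a minimal stand-in for an oslo.policy-style
# check, showing why a stored context with empty roles fails the
# "resource_types:OS::Nova::Flavor" rule while a context whose roles are
# populated from the trust-scoped token's auth ref passes it.

# The two rules quoted in the bug, in oslo.policy's string syntax.
POLICY = {
    "context_is_admin": "role:admin",
    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
}


def check_rule(rule, roles, policy=POLICY, depth=0):
    """Evaluate one rule string against the roles carried by a context.

    Supports only the forms used above: 'role:<name>' and 'rule:<other>'
    (resolved recursively). Anything else is denied.
    """
    if depth > 10:  # guard against self-referential rule chains
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        target = policy.get(value)
        return target is not None and check_rule(target, roles, policy, depth + 1)
    return False


def roles_from_auth_ref(auth_ref):
    """Return the role names in a (constructed) keystone v3 token body.

    A trust-scoped token records the delegated roles under token.roles; the
    fix described in the bug fills the stored context from here instead of
    leaving the role list empty.
    """
    return [role["name"] for role in auth_ref.get("token", {}).get("roles", [])]


def can_use_flavor(context_roles):
    """Result of the OS::Nova::Flavor resource-type check for these roles."""
    return check_rule(POLICY["resource_types:OS::Nova::Flavor"], context_roles)


# Constructed sample: a trust-scoped token whose trust delegated 'admin'.
SAMPLE_AUTH_REF = {
    "token": {"roles": [{"id": "r1", "name": "admin"}, {"id": "r2", "name": "_member_"}]}
}
```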

Change abandoned by Rico Lin (<email address hidden>) on branch: master
Review: https://review.openstack.org/269456
Reason: Hi, this patch has stayed untouched for a few months, so I would like to abandon it for now. Feel free to restore it if you are still working on this. Thank you!